[pkg-apparmor] Bug#1109826: evince: print preview doesn't work if the papers package is installed: apparmor="DENIED" name="/usr/bin/papers-previewer"
Christian Boltz
debian-bugs at cboltz.de
Thu Jul 24 21:33:54 BST 2025
Hello,
Am Donnerstag, 24. Juli 2025, 21:54 schrieb Simon McVittie:
> On Thu, 24 Jul 2025 at 20:45:28 +0200, Christian Boltz wrote:
> > we need a separate profile for papers-previewer
>
> We already have one, in the papers package.
Even better :-)
> >> /usr/bin/evince-previewer Px,
> >>
> >> + /usr/bin/papers-previewer Pix,
> >
> > A Px rule (without the ix fallback) would be better.
>
> Would that load successfully, but gracefully decline to run
> /usr/bin/papers-previewer (which in practice would not exist), if the
> papers package isn't installed?
Right, the profile will load successfully.
If evince tries to execute papers-previewer, and that profile isn't
loaded, the exec will be denied and audit.log will log the denial with
something like "target profile doesn't exist".
> I thought that falling back to "same access to things that evince
> would already have had" would be less bad than falling back to "can't
> run at all". Running arbitrary code with "ix" is no worse for
> hardening purposes than the same code being in-process, after all...
I get your theory.
In practice, it depends - does the target profile grant more or less
permissions than the current profile?
(There's also the risk that denials will be reported for the "wrong"
profile if the ix fallback gets used, so the evince profile might get
permissions added that are only needed for papers-previewer.)
> evince needs to work normally if papers is not installed, in which
> case print preview should get ENOENT when attempting to run
> papers-previewer, and fall back to evince-previewer, the same as it
> would do in the absence of AppArmor.
As long as "papers-previewer is installed" also means "the AppArmor
profile for papers-previewer is loaded", everything should work as you
expect.
Regards,
Christian Boltz
--
[19:31] <suseROCKs> #info anditosan just text that he took a sleeping
pill last night and is trying to wake up to get to the meeting...
[19:31] <suseROCKs> :-D
[19:31] --> anditosan joined the channel (~ytoox at 67.214.243.90).
[19:32] <shayonj> hah , there he is
[19:32] <suseROCKs> anditosan is going to *LOVE* reading the minutes
after this meeting!
[from #opensuse-project]
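As an added illustration (not code from this thread, from evince or from the papers package), a small Python check that reads the exec rules of a profile and, against the "name (mode)" listing that /sys/kernel/security/apparmor/profiles provides, predicts the outcome discussed above: a Px rule whose target profile is not loaded is denied, while a Pix rule falls back to inheriting the parent's profile. The profile excerpt and the profile listing are constructed samples.

```python
import re

# Constructed sample: the exec rules of the evince profile under discussion
# (the papers-previewer rule is the one proposed in the thread).
EVINCE_PROFILE = """
/usr/bin/evince {
  /usr/bin/evince-previewer Px,
  /usr/bin/papers-previewer Px,
}
"""

# Constructed sample of /sys/kernel/security/apparmor/profiles ("name (mode)"
# per line) on a machine where the papers package, and so its profile, is absent.
LOADED_NO_PAPERS = """\
/usr/bin/evince (enforce)
/usr/bin/evince-previewer (enforce)
"""

PROFILE_HEADER = re.compile(r'^\s*(?:profile\s+)?(\S+)[^{]*\{')
EXEC_RULE = re.compile(r'^\s*(/\S+)\s+([PpCcUu]?)([iu]?)x\s*,')


def loaded_profile_names(profiles_text):
    """Parse the 'name (mode)' listing into a set of loaded profile names."""
    return {ln.strip().rsplit(' (', 1)[0] for ln in profiles_text.splitlines() if ln.strip()}


def check_exec_rules(profile_text, profiles_text):
    """Return {target_path: outcome} for each exec rule in profile_text.

    Models ix, Px/px, Pix/pix, Pux/pux, Cx/cx, Cix/cix and ux/Ux only.
    """
    loaded, parent, results = loaded_profile_names(profiles_text), None, {}
    for line in profile_text.splitlines():
        header = PROFILE_HEADER.match(line)
        if header:
            parent = header.group(1)
            continue
        rule = EXEC_RULE.match(line)
        if not rule:
            continue
        path, kind, fallback = rule.groups()
        if kind in ('U', 'u'):
            results[path] = 'unconfined'
        elif not kind:  # plain ix: the target keeps running under the parent's profile
            results[path] = f'inherit {parent}'
        else:
            target = f'{parent}//{path}' if kind in ('C', 'c') else path
            if target in loaded:
                results[path] = f'transition to {target}'
            elif fallback == 'i':  # Pix/Cix: silently inherit, so later denials are
                results[path] = f'inherit {parent} (fallback, {target} not loaded)'  # logged against the parent
            elif fallback == 'u':  # Pux/Cux: fall back to running unconfined
                results[path] = 'unconfined (fallback)'
            else:  # Px/Cx: no fallback, the exec itself is denied and logged
                results[path] = f'DENIED ({target} not loaded)'
    return results
```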